AUDITING: internal controls
EXHIBIT 1
Costs of Being Small
$7,647
$5^82
$190,000
$159,000
Sources: W. Mark Crain, The Impact of Regulatory Costs on Small Firms, SBA Office of Small Business Advocacy, www.sba.gov/advo/research/rs264tot.pdf, 2005; Association of Certified Fraud Examiners, 2006 Report to the Nation on Occupational Fraud and Abuse, www.acfe.com/fraud/report.asp.
EXHIBIT 2
Top 10 Characteristics of Small Businesses
Likely to Benefit from Applying COSO SPG
5. business.
6. Lack of attention to background screening or employment policies.
7. A "black box" information system with no useful management reports.
8. An organizational structure that complicates the supervision process.
9. Complicated regulatory reporting issues.
No audit
Although PSRS had established security policies, management and the employees ignored several important ones.
When a copy of the company policy was requested, it was unavailable. When the totals were reperformed as part of a forensic
investigation, bank deposits were often found to be missing signatures,
and at times the signatures approved miscalculated totals or
incomplete deposit slips. These results suggest that some
policies were merely perfunctory and clearly not enforced.
A single employee had the opportunity to set checks aside
because she was the only one who picked up the mail. She
never relinquished the mailbox key, even when repeatedly
instructed to do so. Days after giving birth, the employee was
back at the office, picking up the mail and the insurance
copayments from the physical therapists' offices. Even when
she worked only part-time, she always held on to these two
tasks. Management did not segregate these duties, and there
were no safeguards in place to monitor her activities.
The method of defalcation was a traditional lapping
scheme. Checks were set aside by the employee after the
mail was opened at the office and were used later to substitute for cash on the bank deposit slip. The bank deposit was
altered to include the checks set aside for the same amount
as the cash collected. The copy of the deposit slip at the
office was not the same as the one used at the bank. The
manager would check to see if the totals deposited and the
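Because the set-aside checks replace cash of the same amount, the deposit total is unchanged and a comparison of totals cannot reveal the substitution; comparing the office copy of each slip with the bank's copy item by item can. The following Python sketch is an added example, not part of the original article; the DepositSlip record, the function names, and the sample amounts are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class DepositSlip:
    """One deposit slip. Amounts are integer cents to avoid float rounding."""
    cash: int
    checks: tuple  # individual check amounts, in cents

    @property
    def total(self):
        return self.cash + sum(self.checks)

def compare_slips(office, bank):
    """Compare the office copy of a slip with the bank's copy, item by item."""
    # Multiset difference: checks the bank received that the office copy omits.
    unlisted = sorted((Counter(bank.checks) - Counter(office.checks)).elements())
    cash_short = office.cash - bank.cash  # cash recorded at the office, not banked
    totals_match = office.total == bank.total
    return {
        "totals_match": totals_match,
        "cash_short": cash_short,
        "unlisted_checks": unlisted,
        # Totals agree, yet unlisted checks stand in for the missing cash.
        "substitution": totals_match and cash_short > 0
                        and sum(unlisted) == cash_short,
    }

def flag_deposits(office_slips, bank_slips):
    """Return {date: reason} for every deposit that needs follow-up."""
    flagged = {}
    for date, office in sorted(office_slips.items()):
        bank = bank_slips.get(date)
        if bank is None:
            flagged[date] = "no bank record"
            continue
        result = compare_slips(office, bank)
        if result["substitution"]:
            flagged[date] = "checks substituted for cash"
        elif not result["totals_match"] or result["cash_short"] or result["unlisted_checks"]:
            flagged[date] = "slips differ"
    return flagged

# Constructed sample data (not from the article), keyed by deposit date.
OFFICE = {"day1": DepositSlip(40000, (12000, 8000)), "day2": DepositSlip(15000, (5000,))}
BANK = {"day1": DepositSlip(10000, (12000, 8000, 30000)), "day2": DepositSlip(15000, (5000,))}

if __name__ == "__main__":
    print(flag_deposits(OFFICE, BANK))
```

The comparison only works if the bank-side record comes from the bank itself rather than from the person who prepares the deposit.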
Control Environment
assessment, yet they often fail to adequately transfer these concepts to their
own businesses. Although the risk of noncompliance with GAAP is an important
concept, many small businesses use cash-basis accounting, and therefore should
focus on fraud risk rather than on financial reporting objectives and risks. In
this respect, a CPA has a twofold role:
to understand how the fraud triangle
(opportunity, pressure, and rationalization) affects both the business and how
the business must pay attention to the
dynamic nature of these factors in its
employees. Moreover, a CPA should
ensure that a client understands whatever fraud risks are unique to the industry,
the location, or the broader economy.
Control Activities
Because CPAs in this context are not
providing attest services, they should be
particularly involved in helping clients
identify control activities that facilitate
EXHIBIT 3
Roadmap for Applying Principles in Achieving Effective Internal Control in Small Businesses
Control Environment
  Integrity and ethical values
  Board of directors
  Management's philosophy and operating style
  Organizational structure
Risk Assessment
  Financial reporting objectives
  Financial reporting risks
  Fraud risk
Control Activities
  Integration with risk assessment
  Selection and development of control activities
  Policies and procedures
  Information technology
Information and Communication
  Financial reporting information
  Internal control information
  Internal communication
  External communication
Monitoring
  Ongoing and separate evaluations
  Reporting deficiencies
Note: Adapted from Internal Control over Financial Reporting - Guidance for Smaller Public Companies, COSO, 2006.